TIMU Permissions: A Continuous Chain

Previously, we covered the basics of configuring permissions for any given TIMU content, whether it be a single task or an entire project. This time around, we're continuing our series on permissions by taking a look at configuring access control for more complicated nested project structures. These can be tricky to set up, but by the time we're done here you'll be able to manage these multi-tiered permissions structures like a pro!

Permissions as a Chain

It can be helpful to imagine TIMU's permissions as a chain that connects project content to the network. Content is accessed by following the chain one link at a time from the network, to projects, sub-projects, and so on. If a link is removed, the chain no longer reaches to all of the content. Any content beyond the missing link becomes inaccessible.

Project List Modules

One of the most common 'links' in the permissions chain is the Project List module. These modules can be added to a project to allow creation and attachment of sub-projects. By default, Project List modules will inherit permissions from their parent project, and copy those permissions to projects that are created or moved into the module. Not that these sub-projects do not inherit from the Project List module, so changes in the parent project's permissions will not automatically be applied to sub-projects. Likewise, the child project's permissions can be edited without affecting its parents or siblings.

Managing Client Collaborations

A common use for the Project List module is to create a multi-tiered project structure for collaborating with client accounts. In this structure, you have a project shared with each client. Client projects are contained in a larger project that might represent all of your accounts, or all clients in a geographic region. Many container projects like this one might exist inside a single larger project representing all markets or regions in your organization. Below is a visual representation of this structure.

Trimming Links from the Chain

This sort of structure is great for keeping things organized, but it has some problems. In the previous example, every user had permissions in every project and module. Your clients would be able to see their own projects, as well as the files in your other clients' projects, and internal communications in your company's projects! Some tighter access control is needed.

By selectively limiting permissions we can preserve the clients' project access, without letting them see content outside those projects. To create the necessary structure, we will break permissions inheritance at the higher levels of the structure and restrict access to modules other than the Project List modules. This will create 'pass-through' permissions that allow a client to access the container projects and the Project List modules, but not Tasks, Discussions, or Files in those projects. The client's permissions might resemble the following diagram:

Note that this configuration represents the minimum set of permissions; a 'chain' that reaches from the network, through both parent projects and their Project List modules, down to the client's project and its contents.

When the Chain Gets Broken

A common misstep in configuring these multi-tiered arrangements of projects is to omit one of the required intermediate links in the permissions chain. This typically happens when 'unnecessary' permissions are removed from a parent project, or when a user is invited to the project at the lowest tier without also being invited to the projects at higher levels.

The end result of a missing link in the permissions chain is Illustrated below. The invited user will be unable to access their project until the missing links are restored.

Closing Thoughts

There's a lot of details to remember when working in a complex multi-tiered project structure. Some permissions will need to be inherited, and some inheritances must be broken in order to balance project access with security. If you run into trouble, pause for a moment and remember the 'chain' of permissions and consider where a link might be missing. If you have questions, let us know in the comments section!